Insurance Industry Moves Towards 72-Hour Breach Notification

Cybersecurity regulators appear to be converging on 72-hour breach notification. First it was the European Union’s General Data Protection Regulation (“GDPR”), then it was the New York Department of Financial Services (“NYDFS”) cybersecurity rules, and now the National Association of Insurance Commissioners (“NAIC”) has adopted the Insurance Data Security Model Law (“Model Law”) – all with a 72-hour breach notification requirement.

We have previously posted about how the Model Law closely tracks the NYDFS cybersecurity rules, which went into effect on August 28, 2017.

Both regimes require covered entities to maintain a written cybersecurity policy, implement a risk-based cybersecurity program, conduct regular risk assessments, provide notice of a cyber breach within 72 hours, and certify compliance annually. And both differ from other state cybersecurity regulations by expanding their definition of nonpublic information to include business-related information, in addition to personal information.

In some respects, the Model Law even goes beyond the NYDFS rules. For example, under the Model Law, any Cybersecurity Event – defined as “an event resulting in unauthorized access to, disruption or misuse of, an Information System or information stored on such Information System” – triggers the 72-hour notification requirement, while the NYDFS rules require notification only when the company has suffered an attack that would trigger notice to a different regulatory authority or has a “reasonable likelihood of materially harming any material part of the normal operation” of the institution, which can be a higher standard. So, for example, a ransomware attack that does not expose confidential information, but does cause some non-material disruption to a company’s computer system, would not generally require notification under the NYDFS rules or state laws, but may require notification under the Model Law.

Moreover, the Model Law would lead to regulation that requires companies to conduct a prompt investigation where a cybersecurity event has or may have occurred. That investigation must include determining whether a cybersecurity event has occurred, assessing the nature and scope of the event, and identifying any nonpublic information that may have been involved. As those involved in these kinds of investigations well know, in many cases, they are inconclusive, so knowing when you are in compliance with the investigation requirement may be tricky.

The Model Law will apply to Licensees of a state only if that state enacts it into law, but it is expected that some version of the Model Law will be introduced next year in several states’ legislatures, adding to the already crowded overlapping array of federal and state cybersecurity regulations to which many companies are subject. We will provide updates here of any important developments in this area.
